“If you have only a single computer, then it’s possible for you
to spend your days giving it careful manual scrutiny for mischiefs
and problems. Perhaps not entirely desirable, but possible. But in
the real world we need good tools to monitor and warn us of
mischiefs, so we can actually go outside and have a life every so
often. Intrusion detection is one of those gnarly jobs that can
make you paranoid and nervous–it seems the more you study it, the
more difficult, scary, and unreliable it appears. But it’s really
not that bad, and Linux admins have a number of powerful tools to
choose from. The best tactic is a layered approach that combines
the oldies but goodies, like Snort and iptables, add some
newfangled tools like psad and AppArmor or SELinux, throw in some
nice analysis tools, and you’re darn near state-of-the-art.“The oldtime notion of intrusion detection was to be alerted
when an intruder successfully gained root access. But in these
modern times, and actually in olden times too, any user account on
the machine could be used for mischief…”